IP / CIDR calculation in MySQL, PHP and JavaScript

Matthias Leisi

Sunday, November 26. 2006

IP / CIDR calculation in MySQL, PHP and JavaScript

When writing the tools and website for the DNS Whitelisting project, http://www.dnswl.org/, I had to deal with a lot of IP calculation: data is stored in CIDR format, eg “127.0.0.1/32” to indicate a single IP address, “213.144.132.248/29” for a range of 213.144.132.248 to 213.144.132.254 and so on. RFC 1878 explains this notation in some detail.

Storing the dotted quad notation of an IP address would be pretty inefficient – the string is 15 characters long (four times up to three digits plus three dots), while it is technically just a “nice” display of a 32bit number. Additionally, comparing IP addresses (eg “is this address within a given range”) is a lot easier when done on the numeric representation since we can just use simple numeric comparison. In any case we need a way to convert between these two representations.

The CIDR notation itself is somewhat difficult to deal with – most humans will not be easily able to always know that the range “213.144.132.248/29” has “213.144.132.254” as it’s last IP address. We therefore also need a way to transform between CIDR and range notation. Unfortunately we need to do this in multiple environments, eg directly within the database (for certain batch jobs), in PHP (for regular backend operations) and in JavaScript (to avoid a server roundtrip on each transformation for the human reader).

MySQL

Luckily, MySQL has two functions to convert from dotted quad notation (“127.0.0.1”) to the corresponding decimal (2130706433), namely inet_aton and inet_ntoa (in case you wonder, that’s ascii to numeric and vice versa). The Miscellaneous Functions chapter of the MySQL reference has the details.

select inet_aton('127.0.0.1'); and select inet_ntoa(2130706433); do all the byte twiddling for us. Note that this also works for insert and update statements, eg insert into ... inet_aton('127.0.0.1') .... The network mask (the "32" in "127.0.0.1/32") can be stored as a regular integer.

Now that we know how to transform (2130706433, 32) into (127.0.0.1, 32), how do we transform a range (213.144.132.248, 29) into human readable “213.144.132.248 to 213.144.132.254”? There we need to do some calculations of our own. If we have a network mask of /32, this means just one single host. A mask of /24 indicates 255 addresses, a /16 gives 65535 and a /8 gives 16777215 addresses. Yes, that has something to do with a number series involving a power of 2 and a “minus 1”, or to be more exact:

last IP = first IP + (2^(32-mask)) - 1

In MySQL, this would translate into the following for (213.144.132.248, 29):

select inet_ntoa(inet_aton('213.144.132.248') + (pow(2, (32-29))-1));

PHP

We can apply the same logic to PHP as well. In PHP the functions to convert between dotted quad and numeric are called long2ip and ip2long (see the PHP Reference). The translation for (213.144.132.248, 29) would thus be:

$lastip = $firstip + pow(2, (32-$mask)) - 1;

Note the peculiarity of the long numerical type in PHP and how to get around that – the german de.comp.lang.php.* FAQ shows a workaround: http://www.php-faq.de/q/q-code-ip-bereich.html

JavaScript / ECMAScript

Unfortunately, JavaScript does not contain something similar to “inet_aton” or “ip2long”, so we have to build our own:

function ip2long(ip) {
    var ips = ip.split('.');
    var iplong = 0;
    with (Math) {
        iplong = ips<sup><a href="#fn0">0</a></sup>*pow(256,3)+ips<sup><a href="#fn1">1</a></sup>*pow(256,2)+ips<sup><a href="#fn2">2</a></sup>*pow(256,1)+ips<sup><a href="#fn3">3</a></sup>*pow(256,0)
    }
    return iplong;
}

	
function long2ip(l) {

    with (Math) {
        var ip1 = floor(l/pow(256,3));
        var ip2 = floor((l%pow(256,3))/pow(256,2));
        var ip3 = floor(((l%pow(256,3))%pow(256,2))/pow(256,1));
        var ip4 = floor((((l%pow(256,3))%pow(256,2))%pow(256,1))/pow(256,0));
    }
    return ip1 + '.' + ip2 + '.' + ip3 + '.' + ip4;
}

And the same power of two-thing to calculate the “last IP”:

function lastIP(ip, mask) {
    return ip + (Math.pow(2, (32 - mask))-1);
}

Bonus points

Dealing with user input is maybe the single most important security issue in web applications. We must therefore take care that we only pass proper IP addresses to any backend function. The easiest way to do this is through a regular expression – after all, we know exactly how a dotted quad representation of an IP address should look like (four times up to three digits, separated by dots). Thus the (Perl style) regex should look like

/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/

Validation of the numeric representation is of course trivial. In PHP:

if (!(is_numeric($ip)) { <b>kaboom</b>; }

It is a good idea to always trim() user input before validation or processing (if leading/trailing whitespace is not significant).

Posted by Matthias Leisi in DNS, IT, Security, Software at 09:56 | Comments (4) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

hello Matthias,

I am reading your comment on
http://chris-linfoot.net/plinks/CWLT-6HYCYN

I am trying to view headers in gmail. I am trying to track a online harrasser. Does the post below work for finding ip address? " little bit of command line magic:

for i in `host -t txt gmail.com | sed "s/^.v=spf1//" | sed "s/a://g" | sed "s/?all.//"`; do host -t a $i; done | sed "s/^.*address //" | sort | uniq | less

#1 dan on 2006-12-05 18:31 (Reply)

http://matthias.leisi.net/archives/173-IP-CIDR-calculation-in-MySQL,-PHP-and-JavaScript.html

javascript function long2ip is wrong

182.76.21.22 long is -1236527850
your js sais long2ip(-1236527850) = -74.-180.-235.-234
:)

#2 Alex Conrad on 2007-03-30 14:40 (Reply)

i want to know about the ip address calculation for 128 bit so kinsly send me the calculation

#3 shanmugam (Homepage) on 2007-05-07 15:05 (Reply)

ich blick da nicht durch :(
bzw. bin auf der suche nach lösungsansatz/tool welches mir aus einer "anfangs-ip" und einer "end-ip" den cidr berechnet um contentgrappern das handwerk zu legen …

#4 Dietmar (Homepage) on 2008-03-23 11:29 (Reply)

Add Comment

Textile-formatting allowed
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Quicksearch

Kategorien


All categories

Sicheres E-Mail

Einführung
CA
Postfix
Cyrus IMAP
Apache
Signieren

Postfix: TLS erzwingen für eingehende / ausgehende Mails

TLS Statistik
Test-Script
OpenSSL Cheat Sheet

Blog abonnieren

Add Google Reader

Blog Administration

Open login screen

Rights & Wrongs

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License